The Ultimate Guide to Smart Speakers Understanding the Spy Inside Your Speaker

Understanding the Spy Inside Your Speaker

Allowing a smart speaker into your house is an act of trust. After all, it’s a listening device connected to the outside world. Consumers wouldn’t knowingly invite someone to bug their home, so these new voice platforms need to respect your privacy and provide reasonable security. As you consider taking a leap of faith by installing one or more smart speakers, it helps to know about how these systems work and how to best protect yourself from any mischief.

First off, these speakers aren’t constantly transmitting or recording your household’s audible activity. Although their microphones are always listening, they remain deaf to your chatter until triggered by a wake word. For an Amazon Echo, that would be “Alexa,” though the Alexa app allows you to customize your wake word for Echo products. For Google Home, you’d say “OK, Google” or “Hey, Google” to activate the artificial intelligence. Apple’s HomePod listens for “Hey, Siri.” Only after the system is awoken will it reach out to the company’s servers—via an encrypted connection—to seek a response to your query, or to place your order through the internet for a dozen long-stemmed roses.


Second, smart speakers aren’t really considered vulnerable to traditional hack attacks from the outside world because they aren’t directly accessible by anyone beyond the servers at Amazon, Google, Apple, or Microsoft (depending on the platform). Nonetheless, the security experts at Symantec say that a smart speaker could conceivably be vulnerable to reconfiguration by a compromised computer on the same network that does get hacked (although they have no record of this occurring to date). So, having your Wi-Fi network properly secured and password-protected is as critical as always.

Beyond this, avoiding trouble with your smart speaker is largely a function of understanding and making wise decisions in the speaker’s setup and use. Here are some basic steps, courtesy of Symantec, to protect your privacy and avoid misuse of your smart speakers:

• As previously mentioned, connect only with secure Wi-Fi. That means your neighbors won’t get a free ride on your internet service unless you give them your password—you know, the one you should regularly change. And use a router that allows you to set up a dedicated guest network for visiting friends and family so you can maintain the privacy of your primary network at all times.

• Consider smart speakers that allow you to disable the microphones at will if you feel the need. The Alexa-driven Sonos One and the Echo speakers, for example, have a button on top to toggle the mics off until it’s pressed again. The Apple HomePod assistant can be disabled by saying “Hey Siri, stop listening” or by using the Apple Home app.

• Keep the account passwords for your Alexa, Google Home, or Apple Home app (that is, your Apple ID) secure to ensure someone can’t access them to reconfigure your speaker or view your requests history from another device.

• Be aware of the dangers of enabling features like Amazon’s Drop In and Apple’s Personal Requests. Drop In is an intercom feature that allows other smart speakers in your home that you’ve designated, or even speakers owned by one of your contacts who has been granted permission, to automatically connect with and communicate with your smart speaker. It can be deactivated in the Alexa app if you have privacy concerns. Enabling Personal Requests with the HomePod allows you to place phone calls from the speaker, or for you—or anyone who strolls up to it—to send a text or hear your recent texts recited out loud. This is defeatable during setup or at any time in the Home app.

• Deactivate online purchasing in the setup app if there’s danger of children or mischief-makers ordering products or services from your device. Echo speakers have online purchasing turned on by default, but you can use the app to turn it off or enable purchasing only by reciting a four-digit PIN.

• Although automated door locks are frequently pitched as a feature of these platforms, think twice before connecting any home security device for voice control, lest an intruder unlock your home, or deactivate your security system or cameras, by shouting through the door.

• Keep in mind that Alexa and Google Home speakers make recordings of all your voice requests to better learn your individual voice signature and improve the performance of their voice recognition. These are visible as scrollable text in the respective app. You may from time to time want to delete sensitive requests from the app or delete all your recordings, though doing the latter may subtly affect performance. Erasing all recordings from an Alexa-enabled speaker requires logging onto your Amazon account online and selecting the device from the “Your Content and Devices” link in the Account drop-down menu.

It should be evident by these tips that it’s not outside forces that present the biggest danger to the security of your smart speaker, but rather their improper use and setup. By understanding your speaker’s features and applying common sense, you can feel confident in enjoying the benefits of smart speakers while minimizing any risk. For more tips, visit Symantec.—MA

barfle's picture

A new product scares the crap out of me. This is one. I don't know so far if the story is true, but there was a recent news item about a smart speaker sending conversations from one person's home to a friend of his. It was apparently an issue of permissions and a bug or two, but yes, this is permitting a large, impersonal company to bug your home.

I'll stay a luddite on this for a while.